---
title: Static Credentials
description: Set up AWS static credentials for Terrateam - the easiest way to get started
---

import { Steps } from '@astrojs/starlight/components';
import { Card } from '@astrojs/starlight/components';

<Card title="Quick Start" icon="rocket">
Static credentials are the fastest way to get Terrateam working with AWS. You'll create an AWS IAM user with programmatic access and store the credentials as GitHub secrets.
</Card>

## Setup Steps

<Steps>

1. ### Create an IAM User

   Create a dedicated IAM user for Terrateam in your AWS account:

   ```sh
   aws iam create-user --user-name terrateam
   ```

2. ### Attach Permissions Policy

   Attach an IAM policy to give Terrateam the necessary permissions. We suggest `PowerUserAccess` as a starting point:

   ```sh
   aws iam attach-user-policy \
   --policy-arn arn:aws:iam::aws:policy/PowerUserAccess \
   --user-name terrateam
   ```

   :::note[Choose Your Policy]
   `PowerUserAccess` is just a suggestion for getting started quickly. You should choose the policy that best fits your security requirements:
   - **PowerUserAccess** - Broad permissions, good for testing and development
   - **Custom policy** - More restrictive, recommended for production environments
   - **Other AWS managed policies** - Choose based on your specific needs
   :::

3. ### Create Access Keys

   Generate access keys for the terrateam user:

   ```sh
   aws iam create-access-key --user-name terrateam
   ```

   This command will output something like:
   ```json
   {
     "AccessKey": {
       "UserName": "terrateam",
       "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
       "Status": "Active",
       "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
     }
   }
   ```

   :::caution[Save Your Keys]
   Copy the `AccessKeyId` and `SecretAccessKey` values - you'll need them in the next step. The secret access key will only be shown once.
   :::

4. ### Set GitHub Secrets

   Add the AWS credentials as secrets to your GitHub repository:

   ```sh
   # Set your repository (replace with your actual org/repo)
   export REPO="your-org/your-repo"

   # Create the AWS Access Key ID secret
   gh secret --repo "$REPO" set AWS_ACCESS_KEY_ID

   # Create the AWS Secret Access Key secret
   gh secret --repo "$REPO" set AWS_SECRET_ACCESS_KEY
   ```

   When prompted, paste the corresponding values from step 3.

</Steps>

## Security Considerations

:::caution[Security Best Practices]
While static credentials are the easiest way to get started, consider these security practices:

- **Use least privilege**: Only grant the minimum permissions Terrateam needs
- **Rotate credentials regularly**: Update access keys periodically
- **Monitor usage**: Use AWS CloudTrail to monitor Terrateam's activities
- **Consider OIDC for production**: For production environments, [OIDC setup](./oidc-setup) provides better security
:::

## Next Steps

Now that you have AWS authentication configured, you are now able to use Terrateam for plan and apply operations against AWS resources.

- Read about [Terrateam configuration](/getting-started/configuration) to customize your workflows
- Learn about [advanced workflows](/advanced-workflows/) for more complex setups
- Consider migrating to [OIDC authentication](./oidc-setup) for enhanced security
